8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc

General

Target

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
Size

24KB
MD5

9a70f898baa94812d9810595c09c413b
SHA1

11b8602b99b7ba71d834c9a16aef5209836cf718
SHA256

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc
SHA512

a2f3a231b2c4e66855abe8a5c58050c2f3fbf6b8dbbf01bdbdb17008e8d0ee73268b8510a2feb484ce47637ae25a60812d4a748c6952484623abaee1af7ecaf7
SSDEEP

768:GvEwVMWLfB0DXrUk1T6y/vLEtMhv+bMauUrdEMzV:mVxLfw1TGyv+XbpEQ

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

5052 icacls.exe
3124 takeown.exe
920 icacls.exe
4304 takeown.exe
4504 icacls.exe
1740 takeown.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

4304 takeown.exe
4504 icacls.exe
1740 takeown.exe
5052 icacls.exe
3124 takeown.exe
920 icacls.exe

pid	process
5052	icacls.exe
3124	takeown.exe
920	icacls.exe
4304	takeown.exe
4504	icacls.exe
1740	takeown.exe

pid	process
4304	takeown.exe
4504	icacls.exe
1740	takeown.exe
5052	icacls.exe
3124	takeown.exe
920	icacls.exe

Drops file in System32 directory 7 IoCs

Processes:

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File opened for modification	C:\Windows\SysWOW64\123C98C.tmp	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File opened for modification	C:\Windows\SysWOW64\123CFE6.tmp	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File created	C:\Windows\SysWOW64\sxload.tmp	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File opened for modification	C:\Windows\SysWOW64\123B9FA.tmp	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

Drops file in Program Files directory 1 IoCs

Processes:

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxcs.tmp 8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3236 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxcs.tmp	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

pid	process
3236	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

pid	process
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
Token: SeTakeOwnershipPrivilege	4304	takeown.exe
Token: SeDebugPrivilege	3236	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

pid	process
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3328 wrote to memory of 1836	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 3328 wrote to memory of 1836	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 3328 wrote to memory of 1836	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 1836 wrote to memory of 4028	1836	cmd.exe	cmd.exe
PID 1836 wrote to memory of 4028	1836	cmd.exe	cmd.exe
PID 1836 wrote to memory of 4028	1836	cmd.exe	cmd.exe
PID 4028 wrote to memory of 4304	4028	cmd.exe	takeown.exe
PID 4028 wrote to memory of 4304	4028	cmd.exe	takeown.exe
PID 4028 wrote to memory of 4304	4028	cmd.exe	takeown.exe
PID 1836 wrote to memory of 4504	1836	cmd.exe	icacls.exe
PID 1836 wrote to memory of 4504	1836	cmd.exe	icacls.exe
PID 1836 wrote to memory of 4504	1836	cmd.exe	icacls.exe
PID 3328 wrote to memory of 4516	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 3328 wrote to memory of 4516	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 3328 wrote to memory of 4516	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 4516 wrote to memory of 3312	4516	cmd.exe	cmd.exe
PID 4516 wrote to memory of 3312	4516	cmd.exe	cmd.exe
PID 4516 wrote to memory of 3312	4516	cmd.exe	cmd.exe
PID 3312 wrote to memory of 1740	3312	cmd.exe	takeown.exe
PID 3312 wrote to memory of 1740	3312	cmd.exe	takeown.exe
PID 3312 wrote to memory of 1740	3312	cmd.exe	takeown.exe
PID 4516 wrote to memory of 5052	4516	cmd.exe	icacls.exe
PID 4516 wrote to memory of 5052	4516	cmd.exe	icacls.exe
PID 4516 wrote to memory of 5052	4516	cmd.exe	icacls.exe
PID 3328 wrote to memory of 4148	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 3328 wrote to memory of 4148	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 3328 wrote to memory of 4148	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 4148 wrote to memory of 4564	4148	cmd.exe	cmd.exe
PID 4148 wrote to memory of 4564	4148	cmd.exe	cmd.exe
PID 4148 wrote to memory of 4564	4148	cmd.exe	cmd.exe
PID 4564 wrote to memory of 3124	4564	cmd.exe	takeown.exe
PID 4564 wrote to memory of 3124	4564	cmd.exe	takeown.exe
PID 4564 wrote to memory of 3124	4564	cmd.exe	takeown.exe
PID 4148 wrote to memory of 920	4148	cmd.exe	icacls.exe
PID 4148 wrote to memory of 920	4148	cmd.exe	icacls.exe
PID 4148 wrote to memory of 920	4148	cmd.exe	icacls.exe
PID 3328 wrote to memory of 3236	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	taskkill.exe
PID 3328 wrote to memory of 3236	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	taskkill.exe
PID 3328 wrote to memory of 3236	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	taskkill.exe
PID 3328 wrote to memory of 3400	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 3328 wrote to memory of 3400	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 3328 wrote to memory of 3400	3328	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
"C:\Users\Admin\AppData\Local\Temp\8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1740

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3124

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:920

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "cstrike-online.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:3400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
253B

MD5
9df09e9265cd1e4cc651f52b9aa4c1c1

SHA1
9a609c00facd857bb159325ca8b100939bdd2073

SHA256
7016477d097a69d90ddf1c581c54290e7514b00f2883f51107cebf2937f3d93f

SHA512
12bded1d9cf3fd654223b53cc064ab3124e810e0b1850c85d4d87f98cef9f26a1623cb9bce8516f2cd3216f9aed7e38d30797a76c869850bb795668162c38911

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll

Filesize
192KB

MD5
c5aeb7380529d5a609517e724bcf54fc

SHA1
f0af09b6abb466bfa80e60fa705af5e665e2a4a3

SHA256
7069b1d3c2a83a731e07e8a9bc068c0460dece876e46c883da86660da4c7ebd1

SHA512
ba1f2af12e6ce7d5a5db00f48193b1888d2352e7459a38f0cf310d5df82806b58c9e72d9208ab9e3fe66a161e09a614b01cbbb823d1a1046f5dd6ae234b0cbcc

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll

Filesize
12KB

MD5
e8e5bb24636ba0fb68e42defc8fd5a85

SHA1
7a6042c4b5c43f2066adde46f43e63e5a697729e

SHA256
c69d6190423cf0f2b81acf2745200b7009a5d6ef0f1845351cedf72587794517

SHA512
2dc4b0ecd185c4432fec463d916b9513280ebcf295dba84338d6677611c854d2e5c244885c969c85864f7e3d7eb801e10a8f34202fb7eb768671fa49bf756471

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll

Filesize
192KB

MD5
c5aeb7380529d5a609517e724bcf54fc

SHA1
f0af09b6abb466bfa80e60fa705af5e665e2a4a3

SHA256
7069b1d3c2a83a731e07e8a9bc068c0460dece876e46c883da86660da4c7ebd1

SHA512
ba1f2af12e6ce7d5a5db00f48193b1888d2352e7459a38f0cf310d5df82806b58c9e72d9208ab9e3fe66a161e09a614b01cbbb823d1a1046f5dd6ae234b0cbcc

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll

Filesize
12KB

MD5
e8e5bb24636ba0fb68e42defc8fd5a85

SHA1
7a6042c4b5c43f2066adde46f43e63e5a697729e

SHA256
c69d6190423cf0f2b81acf2745200b7009a5d6ef0f1845351cedf72587794517

SHA512
2dc4b0ecd185c4432fec463d916b9513280ebcf295dba84338d6677611c854d2e5c244885c969c85864f7e3d7eb801e10a8f34202fb7eb768671fa49bf756471

Download Submit
memory/920-148-0x0000000000000000-mapping.dmp

Download
memory/1740-140-0x0000000000000000-mapping.dmp

Download
memory/1836-132-0x0000000000000000-mapping.dmp

Download
memory/3124-147-0x0000000000000000-mapping.dmp

Download
memory/3236-151-0x0000000000000000-mapping.dmp

Download
memory/3312-139-0x0000000000000000-mapping.dmp

Download
memory/3400-152-0x0000000000000000-mapping.dmp

Download
memory/4028-134-0x0000000000000000-mapping.dmp

Download
memory/4148-144-0x0000000000000000-mapping.dmp

Download
memory/4304-135-0x0000000000000000-mapping.dmp

Download
memory/4504-136-0x0000000000000000-mapping.dmp

Download
memory/4516-137-0x0000000000000000-mapping.dmp

Download
memory/4564-146-0x0000000000000000-mapping.dmp

Download
memory/5052-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads